REPORTING RELEVANT IT RISKS TO STAKEHOLDERS Marc Vael, Brussels, 24 June 2015
Page 1: ISACA Reporting relevant IT risks to stakeholders

REPORTING RELEVANT IT RISKS TO STAKEHOLDERS
Marc Vael, Brussels, 24 June 2015

Page 2: ISACA Reporting relevant IT risks to stakeholders

WHO ARE THE STAKEHOLDERS?

Stakeholders can affect or be affected by the organization's actions, objectives and policies. Examples of key stakeholders are creditors, directors, employees, government (and its agencies), owners (shareholders), suppliers, unions, and the community from which the business draws its resources.

Pages 3 to 6: ISACA Reporting relevant IT risks to stakeholders

WHO ARE THE STAKEHOLDERS? (image-only slides; no text extracted)

Page 7: ISACA Reporting relevant IT risks to stakeholders

WHO ARE THE STAKEHOLDERS?

Big problem #1: Stakeholders all speak different "languages"

Page 8: ISACA Reporting relevant IT risks to stakeholders

WHAT ARE RELEVANT IT RISKS?

Information technology risk / IT risk / IT-related risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.

Assessing the likelihood of various types of events or incidents, together with their predicted impacts or consequences should they occur, is a common way to assess and measure IT risks. Alternative methods of measuring IT risk typically involve assessing other contributory factors such as threats, vulnerabilities, exposures, and asset values.

IT risk has a broader meaning: it encompasses not only the negative impact of operations and service delivery, which can destroy or reduce the value of the organization, but also the benefit/value-enabling risk associated with missed opportunities to use technology to enable or enhance the business, and IT project management risk in aspects such as overspending or late delivery with adverse business impact.

Page 9: ISACA Reporting relevant IT risks to stakeholders

WHO ARE THE STAKEHOLDERS?

Big problem #2: “Risk” is inherently subjective (qualitative)

Page 10: ISACA Reporting relevant IT risks to stakeholders

MEASURING IT RISKS?

Information security event: identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.

Event: occurrence of a particular set of circumstances. The event can be certain or uncertain. The event can be a single occurrence or a series of occurrences.

Information security incident: single or series of unwanted information security events that have a significant probability of compromising business operations and threatening information security.

Incident: an event that has been assessed as having an actual or potentially adverse effect on the security or performance of a system.

Page 11: ISACA Reporting relevant IT risks to stakeholders

MEASURING IT RISKS?

Impact: result of an unwanted incident.

Consequence: outcome of an event. There can be more than one consequence from one event.

Consequences can range from positive to negative. Consequences can be expressed qualitatively or quantitatively.

R = L × I

Likelihood (L) of a security incident occurring is a function of the likelihood that a threat appears and the likelihood that the threat can successfully exploit the relevant system vulnerabilities.

Consequence (I) of the occurrence of a security incident is a function of the likely impact that the incident will have on the organization as a result of the harm its assets will sustain. Harm is related to the value of the assets to the organization; the same asset can have different values to different organizations.

Page 12: ISACA Reporting relevant IT risks to stakeholders

MEASURING IT RISKS?

R can be a function of four factors, R = f(A, T, V, I):

A = Value of the assets

T = Likelihood of the threat

V = Nature of the vulnerability, i.e. the likelihood that it can be exploited (proportional to the potential benefit for the attacker and inversely proportional to the cost of exploitation)

I = The likely impact, the extent of the harm

Pages 13 to 18: ISACA Reporting relevant IT risks to stakeholders (image-only slides; no text extracted)
Page 19: ISACA Reporting relevant IT risks to stakeholders

MEASURING IT RISKS?

OWASP approach to IT risk

Estimation of Likelihood on a 0 to 9 scale:

Threat agent factors

Vulnerability Factors

Estimation of Impact on a 0 to 9 scale:

Technical Impact Factors

Business Impact Factors

Page 20: ISACA Reporting relevant IT risks to stakeholders

MEASURING IT RISKS?

OWASP approach to IT risk

Threat agent factors: estimate the likelihood of a successful attack by this group of threat agents.

Skill level: How technically skilled is this group of threat agents? No technical skills (1), some technical skills (3), advanced computer user (4), network and programming skills (6), security penetration skills (9)

Motive: How motivated is this group of threat agents to find and exploit this vulnerability? Low or no reward (1), possible reward (4), high reward (9)

Opportunity: What resources and opportunity are required for this group of threat agents to find and exploit this vulnerability? full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9)

Size: How large is this group of threat agents? Developers (2), system administrators (2), intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)

Page 21: ISACA Reporting relevant IT risks to stakeholders

MEASURING IT RISKS?

OWASP approach to IT risk

Vulnerability Factors: estimate the likelihood of the particular vulnerability involved being discovered and exploited. Assume the threat agent selected above.

Ease of discovery: How easy is it for this group of threat agents to discover this vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9)

Ease of exploit: How easy is it for this group of threat agents to actually exploit this vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9)

Awareness: How well known is this vulnerability to this group of threat agents? Unknown (1), hidden (4), obvious (6), public knowledge (9)

Intrusion detection: How likely is an exploit to be detected? Active detection in application (1), logged and reviewed (3), logged without review (8), not logged (9)

Page 22: ISACA Reporting relevant IT risks to stakeholders

MEASURING IT RISKS?

OWASP approach to IT risk

Technical Impact Factors: estimate the magnitude of the impact on the system if the vulnerability were to be exploited.

Loss of confidentiality: How much data could be disclosed and how sensitive is it? Minimal non-sensitive data disclosed (2), minimal critical data disclosed (6), extensive non-sensitive data disclosed (6), extensive critical data disclosed (7), all data disclosed (9)

Loss of integrity: How much data could be corrupted and how damaged is it? Minimal slightly corrupt data (1), minimal seriously corrupt data (3), extensive slightly corrupt data (5), extensive seriously corrupt data (7), all data totally corrupt (9)

Loss of availability: How much service could be lost and how vital is it? Minimal secondary services interrupted (1), minimal primary services interrupted (5), extensive secondary services interrupted (5), extensive primary services interrupted (7), all services completely lost (9)

Loss of accountability: Are the threat agents' actions traceable to an individual? Fully traceable (1), possibly traceable (7), completely anonymous (9)

Page 23: ISACA Reporting relevant IT risks to stakeholders

MEASURING IT RISKS?

OWASP approach to IT risk

Business Impact Factors: require a deep understanding of what is important to the company running the application. The aim is to express risks in terms of business impact, particularly if the audience is executive level: the business risk is what justifies investment in fixing security problems.

Financial damage: How much financial damage will result from an exploit? Less than the cost to fix the vulnerability (1), minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9)

Reputation damage: Would an exploit result in reputation damage that would harm the business? Minimal damage (1), loss of major accounts (4), loss of goodwill (5), brand damage (9)

Non-compliance: How much exposure does non-compliance introduce? Minor violation (2), clear violation (5), high profile violation (7)

Privacy violation: How much personally identifiable information could be disclosed? One individual (3), hundreds of people (5), thousands of people (7), millions of people (9)
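The slides list the OWASP factors and their 0 to 9 scores but not how they combine into a rating. The added example below (not from the slides or from OWASP's own tooling) carries the method through for one constructed finding; the averaging of factors, the LOW/MEDIUM/HIGH bands and the severity matrix are taken from OWASP's published Risk Rating Methodology and are assumptions here, not statements on the slides.

```python
# Factor names follow the slides: 4 threat agent + 4 vulnerability factors give
# likelihood; 4 technical or 4 business factors give impact (0 to 9 scale each).
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL = ("loss_of_confidentiality", "loss_of_integrity",
             "loss_of_availability", "loss_of_accountability")
BUSINESS = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# (likelihood band, impact band) -> overall severity. Assumed from OWASP's
# published matrix; the slides do not show it.
SEVERITY = {
    ("LOW", "LOW"): "Note",      ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",   ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score):
    """Map a 0-9 average to OWASP's bands (assumed): <3 LOW, <6 MEDIUM, else HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0 to 9 scale")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def average(factors, names):
    """Plain average of the named factor scores; every factor must be scored."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise KeyError(f"unscored factors: {missing}")
    return sum(factors[n] for n in names) / len(names)


def rate(factors, use_business_impact=True):
    """Return (likelihood, impact, severity) for one finding.

    Business impact is preferred when all four business factors are scored,
    since that is the view an executive audience can act on; otherwise the
    technical factors are used.
    """
    likelihood = average(factors, THREAT_AGENT + VULNERABILITY)
    use_business = use_business_impact and all(n in factors for n in BUSINESS)
    impact = average(factors, BUSINESS if use_business else TECHNICAL)
    return likelihood, impact, SEVERITY[(level(likelihood), level(impact))]


# Constructed finding: reachable by anonymous Internet users, easy to find,
# logged but not reviewed, moderate technical damage, small business damage.
EXAMPLE_FINDING = {
    "skill_level": 6, "motive": 9, "opportunity": 7, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
    "loss_of_confidentiality": 6, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 7,
    "financial_damage": 1, "reputation_damage": 1, "non_compliance": 2, "privacy_violation": 3,
}
```

For the constructed finding the likelihood averages 7.125 (HIGH) while business impact averages 1.75 (LOW) against a technical impact of 4.25 (MEDIUM), so the same finding rates "Medium" for the board and "High" for the engineering team; that gap is exactly the "different languages" problem the deck raises.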

Page 24: ISACA Reporting relevant IT risks to stakeholders


Pages 25 to 28: ISACA Reporting relevant IT risks to stakeholders

MEASURING IT RISKS? (image-only slides; no text extracted)

Pages 29 to 30: ISACA Reporting relevant IT risks to stakeholders (image-only slides; no text extracted)
Page 31: ISACA Reporting relevant IT risks to stakeholders

WHO ARE THE STAKEHOLDERS?

Big problem #3: The risks that frighten people are not the same ones that “kill” them.

Page 32: ISACA Reporting relevant IT risks to stakeholders

WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS?

?

Pages 33 to 44: ISACA Reporting relevant IT risks to stakeholders

WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS? (image-only slides; no text extracted)

Page 45: ISACA Reporting relevant IT risks to stakeholders

WHO ARE THE STAKEHOLDERS?

Big problem #4: Risks are difficult to compare across the board

Pages 46 to 55: ISACA Reporting relevant IT risks to stakeholders

WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT RISKS TO STAKEHOLDERS? (image-only slides; no text extracted)

Pages 56 to 57: ISACA Reporting relevant IT risks to stakeholders (image-only slides; no text extracted)